Organizations can ignore the BEAST attack against SSL today, but the tools behind the exploit will only continue to evolve

InfoWorld|Oct 4, 2011

Ever since rumors started to spread about Thai Duong and Juliano Rizzo's BEAST attack against SSL/TLS, onlookers have fretted as to just how serious a threat it poses. In a nutshell, the attack is serious -- though for the time being, it's difficult to pull off because a would-be attacker has to work pretty hard to ensure that the target meets multiple preconditions. Unfortunately, the tools to pull off the attack are certain to evolve -- and many IT organizations aren't even taking the simple, necessary steps to protect themselves today.

The mere fact that the attack can be successful at all is significant. SSL/TLS is a VPN technology. VPNs are, by definition, supposed to keep your information safe even when it's being transmitted via an insecure network medium and a malicious party can intercept your protected traffic. The BEAST attack somewhat breaks SSL/TLS's VPN protections. In this sense, it's fairly important. With the right preconditions, a cyber criminal can steal your protected HTTPS cookie, which then essentially allows him or her to highjack your active HTTPS session. Make no mistake about it: The BEAST attack works as claimed.

Two important facts make the threat less serious, however: the aforementioned preconditions (which I'll discuss a bit later) and the fact that defenses already exist for many scenarios. The BEAST attack can be successful against pre-SSL 3.1/TLS 1.1 VPN protocols, but many browsers already allow you to choose post-SSL 3.1/TLS 1.1 protection. Some of the browser vendors have even implemented custom fixes that don't fix the holes in the earlier protocols -- but that specifically defang the BEAST's attack methods.

Microsoft, for example, has published a "cipher order" work-around for Internet Explorer that's even effective for versions of IE that have the latest SSL/TLS protocols (for example, IE running on Windows XP). Unfortunately, because BEAST isn't causing worldwide, prolific attacks now, many vendors and websites are going to ignore the warning or be slow in response. That's plain wrong. There shouldn't have to be more blood on the ground before we fix the problem. Unfortunately, that's the way we've always solved problems as a society, especially when facing online threats.

What protects most of us right now is the series of significant preconditions that must be in place before an attacker can launch a successful BEAST attack against a given target. First, the attacker must have a man-in-the-middle connection in place between the victim's client computer and the victim's intended HTTPS website. This precondition isn't that hard to accomplish. Several tools, including one of my favorite demonstration tools, Cain & Abel, make man-in-the-middle attacks truly as easy as clicking a button.